Cybersecurity

Decrypting outbound data a key to security

digital key

When researchers leave the Library of Congress, their bags are checked to ensure they’re not carrying out valuable documents. But not nearly enough federal agencies are doing the same with encrypted data.

Failing to decrypt and inspect outbound network traffic poses a security risk, says Randy Wood, federal vice president at F5 Networks, an application security firm.

Wood said he recently gave a briefing to military personnel and contractors at the Space and Naval Warfare Systems Command. The presentation covered the virtues of decrypting and inspecting outbound network traffic, and “it was as if people had seen fire for the first time,” Wood said at an Aug. 6 media briefing hosted by his firm. Firms like Wood’s could have much to gain commercially from greater federal focus on decrypting network traffic for threats.

The absence of decryption played a significant role in the recent hack of the Joint Chiefs of Staff’s unclassified email network, a former intelligence official familiar with the network told FCW. The Russian hackers believed to be behind the breach took advantage of encrypted traffic that the Joint Chiefs were not decrypting and inspecting, the former official said on the condition of anonymity. Moreover, the hackers could have been targeting the unclassified network in part because classified data occasionally spills onto it.

The broader subject of encryption has gotten more attention from lawmakers since the large-scale hacks of the Office of Personnel Management. Security practices such as encryption should “become the norm rather than the exception,” Rep. Elijah Cummings (D-Md.) said during a June 16 House Oversight and Government Reform Committee hearing. (A Department of Homeland Security official has nonetheless said that encryption would not have protected the data in the case of the OPM breaches.)

There is not much in the way of public measurements of how much federal network traffic is encrypted. Civilian agencies aside from DHS and the Justice Department are less likely to encrypt data at rest or in transit, according to Chris Cummiskey, a former DHS official turned IT security consultant. Agencies should prioritize more sensitive data for protection rather than rush to encrypt everything, he told FCW. “The government just doesn’t have a very good handle on the myriad datasets that they have in terms of prioritizing” what to secure, Cummiskey said.

Brian Taggart, a senior systems engineer at ClearShark, an IT vendor that works with F5 Networks, argues that the coming use of secure sockets layer (SSL), a common encryption protocol, for exfiltration in data breaches makes decrypting SSL traffic an imperative. “I think what’s most remarkable about some of the attacks we’ve seen in the last 18 months is [that] the data [exfiltration] was not SSL, but it’s going to be,” he said at the media briefing.

Malware recently uncovered by cybersecurity firm FireEye underlines that point. The malware, which the firm dubbed Hammertoss and linked to the Russian government, uses encrypted sessions on Twitter to relay commands and extract data from breached networks.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.